Practice Domain Name Proxy Liability and Handling Hidden Parties

  1. For the past few months I battled a previously unknown spammer who uses a domain name proxy or “privacy” service to conceal his identity as a website operator. The website hosting company and the domain name privacy service both refused to help or take action. Should domain name proxies be held liable for client abuses similar to the way a homeowner might be found criminal liable in hiding a fugitive from justice? In addition to a brief coverage of proxy and privacy issues, I'll share some SEO and webmaster tricks for getting beyond private domain name registration and shutting down spammy websites that may impact your business.

    Domain Name Proxy Services – A Shield for Committing Abuse


    article spam submission wordpress.png

    While there are legitimate reasons to use a proxy service, a most common purpose is to hide from abusive or objectionable activity online. Several years ago over 200 articles on TheLaw.com were scraped and posted on another site for the purpose of attracting search engine traffic and pay per click ad revenue. But in addition to ripping our content, they also copied our logo and internal site backlinks. As this presented an obvious breach of copyright and trademark law, the proxy service I contacted terminated its relationship with the website owner after receiving my complaint. After the domain name owner's name and address was publicly exposed, the entire website disappeared shortly thereafter. This is not surprising and public exposure of a wrongdoer's identity will frequently act as a deterrent against wrongful activities.

    But for the past several months, a person previously unknown would attempt to upload thousands of article spam submissions using an automated script. This is not only a clear violation of our terms of use but also of malicious behavior. These useless articles included hyperlinks back to their “money site” (for example, "nortoncouponcodes.com"), which contains discount codes and commission generating hyperlinks to buy Norton Antivirus software from a third party store. While our security measures blocked most of the attempts, cleaning up the resulting mess could be time consuming. On even larger sites and those with high activity, the cost and effort required to continuously maintain adequate security is enormous. An example of the article spam appears below to the left.

    article spam links in post.png
    spam website identity theft fake owner.png

    When I inspected the nortoncouponcodes.com website, it's malicious and avaricious intentions were immediately clear. The “webmaster” listed in the sidebar of the site is “Evan S.” but the accompanying photo was certainly lifted from one of several websites run by a former political candidate with a different name. "Brian H." - the person pictured - confirmed this to be the case via email correspondence. The New York street address listed contains no building number and two different street numbers. The person answering the phone number claims no knowledge of this website. The email address listed is non-functional. And a “whois” lookup for the registered owner of the domain name comes up as “Domains By Proxy." This company is owned by Godaddy who is, perhaps not coincidentally, also the host of the nortoncouponcodes website. Emails to reach the owner of this site using the Domains By Proxy email address went unanswered. So what does a webspam victim do next? Can you expect any cooperation from a domain proxy or web hosting company?

    Free Websites v. Sites with Vanity Domain Names


    It is common for spammers to create these money sites using free website creation services like Tumblr, Weebly and Hubpages. These aren't independent sites but rather subsites of the publisher's own site. For example, a "Tumblr site" will have an web address similar to "usernamehere.tumblr.com". Unlike a vanity domain name, which must be registered and owned by someone, a Tumblr or Hubpages account can be opened using a free email address. This spares the spammer from needing to provide any personal information in exchange for having an Internet address and host to serve a website to visitors. The downside for spammers is the alacrity in which these sites generally respond to complaints concerning violations of acceptable use policies. Sending evidence to Tumblr of potential abuses, violations of terms of service or that the site serves no practical benefit to their target audience will usually result in a decision to terminate an account. It's not worth the trouble and there can be negative consequences, which any competent search engine optimization expert can explain.

    GoDaddy, which provides privately owned hosting accounts, responded to my complaints about the money site with standard form replies that defined general policies. I tried calling their abuse hotline number and got nowhere. As a preferred GoDaddy customer with a personal representative I figured that I would be able to have some help navigating to reach the right person. It wasn't happening. It was clear to that GoDaddy wasn't interested in taking action unless they could absolutely pin something more serious down to justify canceling a revenue stream. It was time to use classic wisdom - follow the money trail.

    Reducing Incentive to Spam: Remove the Revenue Source


    In the real world, law enforcement has jurisdiction over physical space within its domain. This would include a post office box at UPS ("United Parcel Service") or the office suite of a party that remains unlisted in a building directory. If the physical location is nearby, enforcement costs might be manageable and small claims court might be an option too. But when a proxy service is used, there is no way of knowing whether the culprit is located next door, the adjoining state or internationally. A great deal of time, effort and money may be expended and wasted just to determine whether any action is even worthwhile.

    Spammy websites have a tendency to disappear when the financial incentive to operate them dissipates. Most reputable companies running affiliate or advertising programs (such as Commission Junction and Google AdSense) will generally suspend an agreement quickly when reasonable evidence of trouble is presented. This may include signs of improper or abusive activities and violations of their terms of use. When an account is suspended or terminated, the revenue source for all websites under that account dries up simultaneously. Sever the tree trunk and the all the spammy branches wither.

    You may be able to obtain unique identifying information about an affiliate from the source code of their website. Choosing "view source" or control-U on your keyboard should display the source code of a web page in most web browsers. If you search through the source code, you should be able to find a uniquely identifying affiliate code. If you visit the store (in this example at store.bitdefender.com), you should be able to determine the affiliate program associated with these amazing offers. The most popular affiliate programs (in addition to in-house) are Commission Junction, Rakuten Linkshare, Avantgate, Clickbank, Shareasale and Amazon.

    google adsense affiliate code.png

    Using Google Code to Sneak Behind Domain Name Proxies


    If the site uses standard click advertising such as Google AdSense, it should have similar code in its source code. This time search for the word "Google" in the source code and you should be able to locate a Google AdSense publisher code nearby. Google AdSense publisher codes generally begins with "ca-pub" as you can see in the code snippet. Note that even if no click advertising is present, the website owner may be using Google Analytics tracking code - and that will work just as well. Look towards the footer to find Google Analytics code that begins with "GA" and copy this number, as seen on the image at left, below.

    google analytics code.png
    google analytics code reverse search.png

    Now visit a site that maintains a database of Google AdSense and Analytics tracking codes and can perform a reverse search, which you'll see above to the right. You'll typically be able to find several sites using the same AdSense or Analytics tracking code and one of them will probably not use a proxy. You can go to any WHOIS directory and look up each domain name. Sometimes you'll even get lucky and an SEO or spammer will use the code on in conjunction with a domain name which contains personally identifiable information. In this example, I was able to find both!

    Unfortunately in my case, it turned out that the person likely to be causing the spam problems is an SEO located in Malaysia. I have been using more effective measures lately but the bar continuously gets higher, especially if your website relies upon very popular web-based software such as Wordpress, WHMCS and other solutions. Using terms of service violations, DMCA takedown notices and other simple legal remedies will not always solve your problem but they are worth an efficient effort. While I've used a variety of other trade secrets to deal with abuse issues, they aren't simple and there should be a system in place which makes these types of problems easier to curtail.

    A Critical Difference Between Privacy and Proxy Services

    A very important distinction between these two similar services is enumerated by ICANN (Internet Corporation for Assigned Names and Numbers), the entity in charge of the registration of domain names. A “privacy service” is essentially a forwarding service for the "registrant" - the named, legal owner owner of the party registering a domain name. The registrant's name is listed in the "WHOIS directory" of the domain registrar (the company where you can purchase a domain) but the contact information of the privacy service appears. The privacy service receives inquiries which are forwarded to the client.

    When a “proxy service” like Domains By Proxy is used, the party purchasing the domain doesn’t actually “own” the domain – they merely control its use. Domains By Proxy is listed as the legal owner (registrant) of the domain name and license the use of the domain name to the party paying for the domain name's ownership. If you look at Section 1 of their Proxy Agreement, you’ll see the following clause:

    When You subscribe to DBP's private registration service through a DBP-affiliated Registrar, each available domain name registration You designate will thereafter be registered in the name of DBP, as Registrant. In exchange for DBP becoming the Registrant of each domain name registration on Your behalf, DBP shall keep Your name, postal address, email address, phone and fax numbers confidential, subject to Section 4 of this Agreement.​

    While Domains By Proxy is officially listed as the legal owner and party registering the domain name, the client retains the rights to use the name as per Section 2.

    Although DBP will show in the "Whois" directory as the Registrant of each domain name registration You designate, You will retain the full benefits of domain name registration with respect to each such domain name registration...​

    Immunity and Liability of Proxies as an Internet Service Provider


    The liability issue concerning domain name proxy services may not be as clear as it seems. Domains By Proxy only owns the legal rights of ownership of the domain name nortoncouponcodes.tld. The client is the owner and operator of a potentially offending website. But the relationship of a domain name proxy and website operator seems far more intimate than the relationship of a post office box company with a box renter or trademark licensor and licensee. The domain proxy exists solely to hide the identity of the owner in substance of the domain name. It is rare that the owner in substance isn't the same party responsible for activities using the domain name. Furthermore, the domain proxy must make an affirmative act to become the legal owner of the domain name. Shouldn't all of these factors confer greater responsibilities and liability upon domain name proxies? As far back as ten years ago, the question surfaced as to whether a domain name proxy is immune from liability as an "Internet Service Provider" under the DMCA (Digital Millennium Copyright Act) and the Communications Decency Act.

    In Paul McMann v. John Doe, 460 F.Supp.2d 259, Civ. Act. No. 06-11825-JLT (D. Mass., October 31, 2006), an unknown individual created a website denigrating the plaintiff which also used his real name (paulcmccan.com) and photograph. The plaintiff was rebuffed by Domains By Proxy in his attempts to determine the identity of the party registering and using the domain name. While ultimately the court decided that there was no subject matter jurisdiction to hear the case (the content on the site was considered "opinion" and not defamatory), the court did say something very interesting in dicta (judicial opinion or thoughts which have no direct bearing on the decision or direct outcome of the case):

    “In the present case, it is unclear whether Domains by Proxy, Inc., as a party arguably complicit in the allegedly defamatory speech by virtue of its registration assistance, would qualify for protection as an Internet Service Provider. Such an issue, however, must be addressed in a case where Domains by Proxy, Inc., is sued and has an opportunity to present arguments.”​

    If you read the Domains By Proxy legal terms of service as well as most web hosting services, these companies have virtually unfettered discretion to take action against clients in response to a very wide variety of complaints. While they might appear to have take severe actions upon whim, it doesn't mean that they will make a reasonable effort to police abuse when reasonable complaints arise. Section 4 of those legal terms permits "DBP" to:

    Take any other action DBP deems necessary:

    F. If the domain name for which DBP is the registrant on Your behalf violates or infringes a third party's trademark, trade name or other legal rights; and
    G. If it comes to DBP's attention that You are using DBP's services for purposes of engaging in, participating in, sponsoring or hiding Your involvement in, illegal or morally objectionable activities, including but not limited to, activities which are designed, intended to or otherwise:


    2. Defame, embarrass, harm, abuse, threaten, or harass third parties;
    3. Violate state, federal or international law;
    5. Are tortious, vulgar, obscene, invasive of a third party's privacy, racially, ethnically, or otherwise objectionable;
    6. Impersonate the identity of a third party;

    I notified Domains By Proxy of the webspam on my site that generated thousands of links to the nortoncouponcodes website and demanded the identity of the registrant of substance. They responded saying that I should contact GoDaddy to investigate the abuse since all they do is act as a shield and don't run or control the website. I responded by providing DBP with the fraudulent photo and contact information that appears on the nortoncouponcodes website and reminded that that it was clearly in violation of section (4)(F)(6) in addition to (4)(F)(3). DBP responded by essentially saying they wouldn't act unless they received a DMCA takedown ntoice from the person who owned the photograph. I responded reminding them that their legal terms empowered DBP to act using their reasonable judgment and sole discretion - it does not require a copyright violation or DMCA takedown notice. Even a sixth grader could easily determine that there was false impersonation and the likelihood of the use of "DBP's services for the purpose of engaging in, participatig in, sponsoring or hiding Your involvement in, illegal or morally objectionable activities..." That didn't matter. They responded curtly stating:

    Domains By Proxy may cancel the proxy service upon receipt of a pending UDRP dispute or lawsuit and may disclose its customer's contact information upon being served with a valid subpoena.​

    My interpretation of this response was that even if DBP had the power to act, they weren't going to make any judgment call short of virtual certainty. As a result, their service would make it an absurdly expensive proposition to simply find out against whom and in what jurisdiction I'd need to begin to take action. While the costs exceeded the benefits of a lawsuit in this instance, it's important for attorneys to take note that ICANN specifically confers legal responsibility upon domain name proxies:

    Whoever is listed as the Registered Name Holder must provide full contact information, and is the Registered Name Holder of record. Sometimes a Registered Name Holder may register a domain name and then allow another person to use the domain name (such as a website designer registering a domain name for a client). If this happens, and the person actually using the name did not enter into the Registrar/Registered Name Holder Agreement (referred to as a "third party" in the RAA), the Registered Name Holder could be accountable for wrongful use of the domain name by the third party. This will happen if the Registered Name Holder is provided with "reasonable evidence of actionable harm" from the third party’s use of the domain name. In that situation the Registered Name Holder will "accept liability for harm caused by wrongful use of the Registered Name," unless the Registered Name Holder discloses the user’s identity and current contact information.​

    Is the WHOIS Directory Becoming Useless?


    It's ironic that domain name ownership may be terminated by merely having outdated contact information. But there seems little concern to deal with the fact that the WHOIS directory is fast becoming a useless pile of straw companies like Domains By Proxy. Domain name registrars like Namecheap and Google Domains don't provide an option to register domains at a lower cost without privacy registration - they are bundled and built into the most basic fee.

    The ability to identify the owners and operators of virtual properties is arguably even more important than real property. Websites lack identifiable physical boundaries and are easy to place in places with little risk of litigation other than deep pockets. The privilege of domain name ownership demands some semblance of reasonable responsibility and accountability.
    Legal Practice:
    Practice - Law Firm Marketing, SEO
    Jurisdiction:
    • Other

    Michael M. Wechsler

    Michael M. Wechsler
    Michael M. Wechsler is an experienced attorney, founder of TheLaw.com and of-counsel to Kaplan, Williams & Graffeo, LLC. He was also an SVP and chief Internet strategist at Zedge.net and legal consultant at Kroll Ontrack, a leading service e-discovery and computer forensics service provider.

Comments

To make a comment simply sign up and become a member!